Agentless Enforcement of Application Management through Virtualized Block I/O Redirection

ABSTRACT

Application authorization management is provided without installation of an agent at an operating system level. A component runs outside of the operating system, in an AMT environment. AMT is utilized to examine the operating system for applications. Identified applications are checked against a whitelist or a blacklist. Responsive to determining that an identified application is not authorized, AMT is used to redirect input/output requests targeting the application to an alternative image, which can, for example, warn the user that the application is not authorized.

TECHNICAL FIELD

This invention pertains generally to computer security, and more specifically to enforcing application management on a computer without requiring direct interaction with the operating system.

BACKGROUND

Computer security software, such as policy enforcement and configuration management solutions, typically requires deployment of an agent within the operating system of the computer being protected. However, the act of agent deployment itself assumes the existence of a level of control and management over the computers to be protected which often does not exist. It is the very computers for which such control is not available that are most in need of protection.

Active management technology (AMT), such as Intel's vPro AMT, is a hardware based technology that provides a runtime environment separate and independent from that of the main general purpose operating system. AMT typically uses a secondary processor on the motherboard of a computer to enable “out of band” interaction with the main operating system. In addition to running independently of the general purpose operating system, the AMT environment can be communicated with independently. It would be desirable to leverage the AMT environment to address the computer security shortcomings discussed above.

SUMMARY

Application authorization management is provided without installation of an agent at an operating system level. A component runs outside of the operating system, in an AMT environment. AMT is utilized to examine the operating system for applications. Identified applications are checked against a whitelist or a blacklist. Responsive to determining that an identified application is not authorized, AMT is used to redirect input/output requests targeting the application to an alternative image, which can, for example, warn the user that the application is not authorized.

The features and advantages described in this summary and in the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the relevant art in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating providing application blacklisting and whitelisting without installation of an agent at an operating system level, according to some embodiments of the present invention.

FIG. 2 is a flowchart illustrating steps for application whitelisting without installation of an agent at an operating system level, according to some embodiments of the present invention.

The Figures depict embodiments of the present invention for purposes of illustration only. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein.

DETAILED DESCRIPTION

FIG. 1 illustrates a system for providing application blacklisting/whitelisting without installation of an agent at an operating system level, according to some embodiments of the present invention. It is to be understood that although various components are illustrated and described above as separate entities, each illustrated component represents a collection of functionalities which can be implemented as software, hardware, firmware or any combination of these. Where a component is implemented as software, it can be implemented as a standalone program, but can also be implemented in other ways, for example as part of a larger program, as a plurality of separate programs, as a kernel loadable module, as one or more device drivers or as one or more statically or dynamically linked libraries.

As illustrated in FIG. 1, a security component 101 runs “out of band” in an AMT environment 103 on a computer 105, without directly interacting with the operating system 107. The security component 101 communicates with the AMT 103 in order to perform an examination of the operating system 107 image for applications 109, all without running an agent on the operating system 107. The security component then runs a security check on found applications 109 to determine whether they are authorized to be run on the computer 105. This security check can comprise determining whether each found application 109 is on a whitelist 111 of applications 109 permitted to be run on the computer 105, and/or determining whether the applications 109 are present on a blacklist 113 of disallowed entities. This/these list(s) 111/113 can be local, or the checks can be in the form of a query made to a remote entity (e.g., a server, not illustrated) on which the list(s) 111/113 is/are maintained. In other embodiments, the security check can comprise an action other than a whitelist 111/blacklist 113 check. For example, the security check can be in the form of a heuristic analysis to identify suspicious applications and/or checking the application for known malicious code signatures.

Responsive to determining that an application 109 is not legitimate, the security component 101 uses the virtualization of block input/output (IO) feature of AMT 103 to manage the application 109. More specifically, when the security component 101 identifies a suspect application 109, it uses the AMT block virtualization to remap the blocks containing the application file 109 (or in some embodiments its file table (e.g., MFT) entry), such that the security component 101 provides an alternative “image” 115 of the file 109 to the operating system 107, through the AMT 103. In other words, I/O requests for the file table entry record or its related sectors are redirected to alternative sectors, on which the alternative image 115 is stored. In some embodiments, the alternative image 115 is stored on the same physical disk as the original file 109 (which remains unmoved and unmodified). In other embodiments, the alternative image 115 is stored remotely (not illustrated). The redirected alternative image 115 can comprise, for example, no operation (NOP) code, or code that provides a notification to the user that the application 109 is not approved for execution on the computer 105. It is to be understood that in different operating environments, file table entries are in different internal formats based on the file system instantiation (e.g., FAT and NTFS (MFT) under Windows, inodes under Linux, etc.). All such file system formats are within the scope of different embodiments of the present invention.

It is to be understood that an alternative image 115 is typically specific to a given set of operating systems (e.g., Windows, Linux, etc.). For example, Linux code to notify the user that the application 109 is not approved would not likely run under Windows, etc. To address this, a group of alternative images 115 can be maintained, one (or more) for each supported platform. Because only so many operating system sets would likely be supported, the number of alternative images 115 used in the various embodiments would be very manageable.

Note that the main operating system 107 does not contain any type of agent, nor is it aware that the underlying translation occurs. Note further that no changes are actually made to the file system. Instead, the security component 101 simply redirects I/O requests for the application 109 to the alternative image 115.

FIG. 2 illustrates steps for application 109 whitelisting without installation of an agent at an operating system level, according to some embodiments of the present invention. As illustrated in FIG. 2, the security component 101 communicates 201 with the AMT 103, in order to scan 203 the operating system for applications 109. The security component 101 compares 205 found applications 109 to a whitelist 111 of permitted applications 109. Responsive to determining 207 that a given application 109 is not on the whitelist 111, the security component 101 utilizes the AMT virtualization of block IO feature to redirect 209 I/O requests for the application 109 to an alternative image 115, which warns the user that the application 109 is not permitted to run on the computer 105.
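The mechanism of FIG. 1 and steps 201 through 209 of FIG. 2, as an added simulation that is not part of the patent: a constructed disk and file table, a block layer with a remap table standing in for the AMT block I/O virtualization feature, and a security component that remaps the sectors of an unauthorized application 109 to a per-platform alternative image 115 while the physical sectors stay untouched. The sector contents, file names, the SHA-256 keyed whitelist and the sixteen-byte alternative images are all assumptions made for the example.

```python
import hashlib

# Constructed sample disk: sector number (LBA) -> 16-byte sector contents.
# FILE_TABLE stands in for an MFT record or inode: file name -> its sectors.
# Neither is a real AMT structure; this models the mechanism, not an API.
PHYSICAL = {
    100: b"GOODAPP-PART-ONE", 101: b"GOODAPP-PART-TWO",
    200: b"ROGUEAPP-PART-ON", 201: b"ROGUEAPP-PART-TW",
}
FILE_TABLE = {"good.exe": [100, 101], "rogue.exe": [200, 201]}
# One alternative image per supported platform (hypothetical 16-byte stand-ins
# for "notify the user" code); a NOP image would be handled the same way.
ALT_IMAGES = {"windows": b"NOTIFY-WIN-NOTOK", "linux": b"NOTIFY-LNX-NOTOK"}

def sha256_of(sectors, lbas):
    # Whitelist entries are keyed on the SHA-256 of the file's raw sectors
    # (an assumption; the text does not fix how whitelisted apps are named).
    h = hashlib.sha256()
    for lba in lbas:
        h.update(sectors[lba])
    return h.hexdigest()

WHITELIST = {sha256_of(PHYSICAL, FILE_TABLE["good.exe"])}  # only good.exe

class VirtualizedDisk:
    """Models the AMT block-virtualization layer sitting beneath the OS."""
    def __init__(self, sectors):
        self.sectors = dict(sectors)  # physical sectors, never modified
        self.remap = {}               # LBA -> alternative sector contents

    def read(self, lba):
        # Every OS read consults the remap table before touching the disk.
        return self.remap.get(lba, self.sectors[lba])

def enforce(disk, file_table, whitelist, platform):
    """Security component: scan the file table, check each application against
    the whitelist, remap the sectors of any unauthorized application to the
    platform's alternative image. Returns the names that were redirected."""
    redirected = []
    for name, lbas in file_table.items():
        if sha256_of(disk.sectors, lbas) in whitelist:
            continue
        for lba in lbas:
            disk.remap[lba] = ALT_IMAGES[platform]
        redirected.append(name)
    return redirected

def os_read_file(disk, file_table, name):
    # What the unaware operating system sees when it loads the file.
    return b"".join(disk.read(lba) for lba in file_table[name])

def demo(platform="windows"):
    disk = VirtualizedDisk(PHYSICAL)
    redirected = enforce(disk, FILE_TABLE, WHITELIST, platform)
    return {
        "redirected": redirected,
        "good": os_read_file(disk, FILE_TABLE, "good.exe"),
        "rogue": os_read_file(disk, FILE_TABLE, "rogue.exe"),
        "physical_untouched": disk.sectors == PHYSICAL,  # file system unchanged
    }
```

Reading rogue.exe through the virtualized layer yields the alternative image, good.exe reads through unchanged, and the physical sector map is identical before and after enforcement.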

As will be understood by those familiar with the art, the invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. Likewise, the particular naming and division of the portions, modules, agents, managers, components, functions, procedures, actions, layers, features, attributes, methodologies and other aspects are not mandatory or significant, and the mechanisms that implement the invention or its features may have different names, divisions and/or formats. Furthermore, as will be apparent to one of ordinary skill in the relevant art, the portions, modules, agents, managers, components, functions, procedures, actions, layers, features, attributes, methodologies and other aspects of the invention can be implemented as software, hardware, firmware or any combination of the three. Wherever a component of the present invention is implemented as software, the component can be implemented as a script, as a standalone program, as part of a larger program, as a plurality of separate scripts and/or programs, as a statically or dynamically linked library, as a kernel loadable module, as a device driver, and/or in every and any other way known now or in the future to those of skill in the art of computer programming. Additionally, the present invention is in no way limited to implementation in any specific programming language, or for any specific operating system or environment. Furthermore, it will be readily apparent to those of ordinary skill in the relevant art that where the present invention is implemented in whole or in part in software, the software components thereof can be stored on computer readable media as computer program products. Any form of computer readable medium can be used in this context, such as magnetic or optical storage media. Additionally, software portions of the present invention can be instantiated (for example as object code or executable images) within the memory of any computing device. Accordingly, the disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.

CLAIMS

1. A computer implemented method for providing application management without installation of an agent at an operating system level, the method comprising the steps of: running a component outside of the operating system in an AMT environment; utilizing AMT to examine the operating system for applications; performing a security check on identified applications; and responsive to determining that an identified application is not authorized, using AMT to redirect corresponding input/output requests to an alternative image.

2. The method of claim 1 wherein performing a security check on an identified application further comprises performing at least one step from a group of steps consisting of: determining whether the application is on a local whitelist of authorized applications; determining whether the application is on a remote whitelist of authorized applications; determining whether the application is on a local blacklist of unauthorized applications; determining whether the application is on a remote blacklist of unauthorized applications; performing a heuristic analysis of the application; and checking the application for at least one malicious code signature.

3. The method of claim 1 wherein using AMT to redirect corresponding input/output requests to an alternative image further comprises: using AMT virtualization of block input/output functionality to redirect the corresponding requests.

4. The method of claim 3 wherein using AMT virtualization of block input/output functionality to redirect the corresponding requests further comprises: using AMT virtualization of block input/output functionality to remap blocks containing the application.

5. The method of claim 3 wherein using AMT virtualization of block input/output functionality to redirect the corresponding requests further comprises: using AMT virtualization of block input/output functionality to remap blocks containing a file table entry of the application.

6. The method of claim 3 wherein using AMT virtualization of block input/output functionality to redirect the corresponding requests further comprises: using AMT virtualization of block input/output functionality to redirect input/output requests targeting the application to alternative sectors on which the alternative image is stored.

7. The method of claim 1 wherein redirecting corresponding input/output requests to an alternative image further comprises performing a step from a group of steps consisting of: redirecting corresponding input/output requests to an alternative image stored on a local physical medium on which the application is stored; and redirecting corresponding input/output requests to an alternative image stored on a remote physical medium.

8. The method of claim 1 wherein redirecting corresponding input/output requests to an alternative image further comprises performing a step from a group of steps consisting of: redirecting corresponding input/output requests to an alternative image comprising NOP code; and redirecting corresponding input/output requests to an alternative image comprising code to provide a notification to a user concerning the unauthorized application.

9. The method of claim 1 further comprising: maintaining a plurality of alternative images, each alternative image comprising code for execution in a specific environment.

10. At least one computer readable medium containing a computer program product for providing application management without installation of an agent at an operating system level, the computer program product comprising: program code for running a component outside of the operating system in an AMT environment; program code for utilizing AMT to examine the operating system for applications; program code for performing a security check on identified applications; and program code for responsive to determining that an identified application is not authorized, using AMT to redirect corresponding input/output requests to an alternative image.

11. The computer program product of claim 10 wherein the program code for performing a security check on an identified application further comprises program code for performing at least one step from a group of steps consisting of: determining whether the application is on a local whitelist of authorized applications; determining whether the application is on a remote whitelist of authorized applications; determining whether the application is on a local blacklist of unauthorized applications; determining whether the application is on a remote blacklist of unauthorized applications; performing a heuristic analysis of the application; and checking the application for at least one malicious code signature.

12. The computer program product of claim 10 wherein the program code for using AMT to redirect corresponding input/output requests to an alternative image further comprises: program code for using AMT virtualization of block input/output functionality to redirect the corresponding requests.

13. The computer program product of claim 12 wherein the program code for using AMT virtualization of block input/output functionality to redirect the corresponding requests further comprises: program code for using AMT virtualization of block input/output functionality to remap blocks containing the application.

14. The computer program product of claim 12 wherein the program code for using AMT virtualization of block input/output functionality to redirect the corresponding requests further comprises: program code for using AMT virtualization of block input/output functionality to remap blocks containing a file table entry of the application.

15. The computer program product of claim 12 wherein the program code for using AMT virtualization of block input/output functionality to redirect the corresponding requests further comprises: program code for using AMT virtualization of block input/output functionality to redirect input/output requests targeting the application to alternative sectors on which the alternative image is stored.

16. The computer program product of claim 10 wherein the program code for redirecting corresponding input/output requests to an alternative image further comprises program code for performing a step from a group of steps consisting of: redirecting corresponding input/output requests to an alternative image stored on a local physical medium on which the application is stored; and redirecting corresponding input/output requests to an alternative image stored on a remote physical medium.

17. The computer program product of claim 10 wherein the program code for redirecting corresponding input/output requests to an alternative image further comprises program code for performing a step from a group of steps consisting of: redirecting corresponding input/output requests to an alternative image comprising NOP code; and redirecting corresponding input/output requests to an alternative image comprising code to provide a notification to a user concerning the unauthorized application.

18. The computer program product of claim 10 further comprising: program code for maintaining a plurality of alternative images, each alternative image comprising code for execution in a specific environment.

19. A computer system for providing application management without installation of an agent at an operating system level, the computer system comprising: means for running a component outside of the operating system in an AMT environment; means for utilizing AMT to examine the operating system for applications; means for performing a security check on identified applications; and means for responsive to determining that an identified application is not authorized, using AMT to redirect corresponding input/output requests to an alternative image.

20. The computer system of claim 19 wherein the means for using AMT to redirect corresponding input/output requests to an alternative image further comprises: means for using AMT virtualization of block input/output functionality to redirect the corresponding requests.